---
title: "Kubernetes RBAC Permissions"
sidebarTitle: "Kubernetes Permissions"
---

This page lists the Kubernetes Roles and ClusterRoles used by Odigos and the Odigos Operator.

# Components

This section lists the RBAC policies used by the Odigos components.

## ClusterRoles

Below are the ClusterRoles used by Odigos components.

### odigos-autoscaler

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | \* | get<br />list<br />watch |
| odigos.io | sources | \* | get<br />list<br />watch |
| odigos.io | collectorsgroups/finalizers | \* | get<br />patch<br />update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | \* | get<br />list<br />watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | odigos-action-validating-webhook-configuration | update |

### cleanup-clusterrole

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | sources | \* | list<br />delete |
| \* | pods | \* | list |
| \* | nodes | \* | list<br />patch |

### odigos-instrumentor

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | nodes | \* | list<br />watch<br />get |
| \* | namespaces | \* | list<br />watch<br />get |
| \* | pods | \* | list<br />watch<br />get |
| batch | cronjobs | \* | list<br />watch<br />get |
| apps | daemonsets | \* | get<br />list<br />watch<br />update<br />patch |
| apps | deployments | \* | get<br />list<br />watch<br />update<br />patch |
| apps | statefulsets | \* | get<br />list<br />watch<br />update<br />patch |
| apps | statefulsets/finalizers<br />deployments/finalizers<br />daemonsets/finalizers | \* | update |
| operator.odigos.io | odigos/finalizers | \* | update |
| odigos.io | instrumentationconfigs/status | \* | get<br />patch<br />update |
| odigos.io | instrumentationconfigs | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| odigos.io | sources | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| odigos.io | sources/finalizers | \* | update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | \* | get<br />list<br />watch |
| admissionregistration.k8s.io | mutatingwebhookconfigurations | odigos-source-mutating-webhook-configuration<br />odigos-pod-mutating-webhook-configuration | update |
| admissionregistration.k8s.io | validatingwebhookconfigurations | \* | get<br />list<br />watch |
| admissionregistration.k8s.io | validatingwebhookconfigurations | odigos-source-validating-webhook-configuration | update |

### odiglet

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | pods | \* | get<br />list<br />watch |
| \* | pods/status | \* | get |
| \* | pods/finalizers | \* | update |
| \* | nodes | \* | get<br />list<br />watch<br />patch<br />update |
| odigos.io | instrumentationinstances | \* | create<br />get<br />list<br />patch<br />update<br />watch<br />delete |
| odigos.io | instrumentationinstances/status | \* | get<br />patch<br />update |
| odigos.io | instrumentationconfigs | \* | get<br />list<br />watch<br />patch<br />update |
| odigos.io | instrumentationconfigs/status | \* | get<br />patch<br />update |
| \* | nodes/stats<br />nodes/proxy | \* | get<br />list |
| \* | pods<br />namespaces | \* | get<br />list<br />watch |
| apps | replicasets<br />deployments<br />daemonsets<br />statefulsets | \* | get<br />list<br />watch |
| \* | endpoints | \* | get<br />list<br />watch |

### odigos-scheduler

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| odigos.io | instrumentationconfigs | \* | get<br />list<br />watch |
| \* | configmaps/finalizers | \* | update |
| batch | cronjobs | \* | list<br />watch |
| \* | configmaps | \* | list |

### odigos-ui

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | namespaces | \* | get<br />list<br />patch |
| apps | deployments<br />statefulsets<br />daemonsets | \* | get<br />list<br />update<br />patch |
| batch | cronjobs | \* | get<br />list<br />update<br />patch |
| apps | replicasets | \* | get<br />list |
| \* | services | \* | get<br />list |
| \* | pods | \* | get<br />list<br />watch |
| odigos.io | instrumentationconfigs<br />instrumentationinstances | \* | get<br />list<br />watch |
| odigos.io | sources | \* | get<br />list<br />patch<br />create<br />delete |

## Roles

Below are the Roles used by Odigos components. These Roles are scoped only to the Namespace in which Odigos is installed.

### odigos-autoscaler

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | \* | get<br />list<br />watch<br />create<br />patch<br />update<br />delete |
| \* | services | \* | get<br />list<br />watch<br />create<br />patch<br />update<br />delete<br />deletecollection |
| apps | daemonsets | \* | get<br />list<br />watch<br />create<br />patch<br />update<br />delete<br />deletecollection |
| apps | daemonsets/status | \* | get |
| apps | deployments | \* | create<br />delete<br />deletecollection<br />get<br />list<br />patch<br />update<br />watch |
| apps | deployments/status | \* | get |
| autoscaling | horizontalpodautoscalers | \* | create<br />patch<br />update<br />delete |
| \* | secrets | \* | get<br />list<br />watch |
| \* | secrets | autoscaler-webhooks-cert | update |
| \* | secrets | autoscaler-webhook-cert | delete |
| odigos.io | destinations | \* | get<br />list<br />watch |
| odigos.io | destinations/status | \* | get<br />patch<br />update |
| odigos.io | processors | \* | get<br />list<br />watch<br />create<br />patch<br />update |
| actions.odigos.io | \* | \* | get<br />list<br />watch<br />update |
| actions.odigos.io | \*/status | \* | get<br />patch<br />update |
| odigos.io | collectorsgroups | \* | get<br />list<br />watch |
| odigos.io | collectorsgroups/status | \* | get<br />patch<br />update |
| odigos.io | actions | \* | get<br />list<br />watch<br />create<br />patch<br />update |
| odigos.io | actions/status | \* | get<br />patch<br />update |

### cleanup-role

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | odigos-deployment<br />odigos-configuration | get |
| \* | configmaps | \* | list |
| \* | configmaps | odigos-config | get<br />delete |

### odiglet

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | odigos-data-collection | get<br />list<br />watch |

### odigos-gateway

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | odigos-gateway | get<br />list<br />watch |

### odigos-instrumentor

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | effective-config | get<br />list<br />watch |
| odigos.io | collectorsgroups | \* | get<br />list<br />watch |
| odigos.io | collectorsgroups/status | \* | get<br />list<br />watch |
| odigos.io | destinations | \* | get<br />list<br />watch |
| odigos.io | instrumentationrules | \* | get<br />list<br />watch |
| odigos.io | instrumentationrules/status | \* | get<br />patch<br />update |
| \* | secrets | \* | get<br />list<br />watch |
| \* | secrets | instrumentor-webhooks-cert | update |
| \* | secrets | webhook-cert | delete |
| apps | daemonsets | odiglet | get<br />list<br />watch |

### odigos-leader-election-role

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | events | \* | create<br />patch |
| coordination.k8s.io | leases | \* | get<br />list<br />watch<br />create<br />update<br />patch<br />delete |

### odigos-scheduler

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | \* | get<br />list<br />watch |
| \* | configmaps | effective-config<br />odigos-deployment<br />odigos-go-offsets | patch<br />create<br />update |
| \* | configmaps | odigos-config | delete |
| odigos.io | collectorsgroups | \* | get<br />list<br />create<br />patch<br />update<br />watch<br />delete |
| odigos.io | collectorsgroups/status | \* | get |
| odigos.io | instrumentationrules<br />processors<br />actions | \* | get<br />list<br />watch<br />patch<br />delete<br />create |
| \* | secrets | \* | get<br />list<br />watch |
| batch | cronjobs | odigos-go-offsets-updater | get<br />list<br />watch<br />create<br />update<br />patch<br />delete |
| apps | daemonsets | odiglet | patch |
| apps | deployments | odigos-scheduler | get<br />list<br />watch |
| odigos.io | destinations | \* | get<br />list<br />watch |

### odigos-ui

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps | \* | get<br />list<br />update<br />patch |
| \* | secrets | \* | get<br />list<br />create<br />patch<br />update<br />delete |
| odigos.io | instrumentationrules<br />destinations | \* | get<br />list<br />create<br />patch<br />update<br />delete |
| odigos.io | destinations | \* | watch |
| odigos.io | collectorsgroups | \* | get<br />list |
| odigos.io | actions | \* | get<br />list<br />create<br />patch<br />update<br />delete |

# Operator

This section lists the RBAC policies used by the Odigos Operator. Many of these permissions are necessary in order to create the RBAC policies for the components listed above.

## ClusterRoles

| APIGroups | Resources | Resource Names | Verbs |
|---|---|---|---|
| \* | configmaps<br />endpoints<br />secrets | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| \* | configmaps/finalizers<br />pods/finalizers | \* | update |
| \* | events | \* | create<br />patch |
| \* | namespaces | \* | get<br />list<br />patch<br />watch |
| \* | nodes | \* | get<br />list<br />patch<br />update<br />watch |
| \* | nodes/proxy<br />nodes/stats | \* | get<br />list |
| \* | pods | \* | get<br />list<br />watch |
| \* | pods/status | \* | get |
| \* | serviceaccounts | \* | create<br />delete<br />get<br />list<br />patch<br />watch |
| \* | services | \* | create<br />delete<br />deletecollection<br />get<br />list<br />patch<br />update<br />watch |
| actions.odigos.io | \* | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| actions.odigos.io | \*/status | \* | get<br />patch<br />update |
| admissionregistration.k8s.io | mutatingwebhookconfigurations<br />validatingwebhookconfigurations | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| apiextensions.k8s.io | customresourcedefinitions | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| apps | daemonsets<br />deployments<br />replicasets<br />statefulsets | \* | create<br />delete<br />deletecollection<br />get<br />list<br />patch<br />update<br />watch |
| apps | daemonsets/finalizers<br />deployments/finalizers<br />replicasets/finalizers<br />statefulsets/finalizers | \* | update |
| apps | daemonsets/status<br />deployments/status<br />statefulsets/status | \* | get |
| autoscaling | horizontalpodautoscalers | \* | create<br />delete<br />patch<br />update |
| batch | cronjobs | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| coordination.k8s.io | leases | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| odigos.io | \* | \* | \* |
| odigos.io | collectorsgroups/finalizers<br />sources/finalizers | \* | update |
| odigos.io | collectorsgroups/status<br />destinations/status<br />instrumentationconfigs/status<br />instrumentationinstances/status | \* | get<br />list<br />patch<br />update<br />watch |
| odigos.io | instrumentationrules/status | \* | get<br />patch<br />update |
| operator.odigos.io | odigos | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| operator.odigos.io | odigos/finalizers | \* | update |
| operator.odigos.io | odigos/status | \* | get<br />patch<br />update |
| policy | podsecuritypolicies | privileged | use |
| rbac.authorization.k8s.io | clusterrolebindings<br />clusterroles<br />rolebindings<br />roles | \* | create<br />delete<br />get<br />list<br />patch<br />update<br />watch |
| security.openshift.io | securitycontextconstraints | \* | use |
| authentication.k8s.io | tokenreviews | \* | create |
| authorization.k8s.io | subjectaccessreviews | \* | create |
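
The Operator needs many of these permissions because the Kubernetes API server rejects the creation of a Role or ClusterRole containing permissions the creator does not already hold. The following added example (not Odigos code) is a simplified model of that coverage check, run over a few rows copied from the tables on this page. The function names are hypothetical, API groups are written as printed in the tables, and non-resource URLs, aggregated roles and the `escalate` verb are not modelled.

```python
from itertools import product

def _match(held, wanted):
    # "*" in a held rule matches anything; otherwise values must be equal.
    return held == "*" or held == wanted

def _resource_match(held, wanted):
    if _match(held, wanted):
        return True
    # A held "*/status" covers the "status" subresource of any resource.
    return held.startswith("*/") and "/" in wanted and held[2:] == wanted.split("/", 1)[1]

def _grants(rule, group, resource, verb, name):
    names = rule.get("names", [])  # empty list = every resource name
    return (any(_match(g, group) for g in rule["groups"])
            and any(_resource_match(r, resource) for r in rule["resources"])
            and any(_match(v, verb) for v in rule["verbs"])
            and (not names or name in names))

def uncovered(held, wanted):
    """Return (group, resource, verb, name) tuples in `wanted` that no rule in `held` grants."""
    missing = []
    for w in wanted:
        combos = product(w["groups"], w["resources"], w["verbs"], w.get("names") or [None])
        missing += [c for c in combos if not any(_grants(h, *c) for h in held)]
    return missing

# Rows copied from the Operator ClusterRole table on this page (subset).
OPERATOR = [
    {"groups": ["*"], "resources": ["configmaps", "endpoints", "secrets"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"groups": ["*"], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"groups": ["apps"], "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"],
     "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]},
    {"groups": ["odigos.io"], "resources": ["*"], "verbs": ["*"]},
]
# Rows copied from the odigos-instrumentor ClusterRole and Role tables (subset).
INSTRUMENTOR = [
    {"groups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "update", "patch"]},
    {"groups": ["odigos.io"], "resources": ["instrumentationconfigs/status"], "verbs": ["get", "patch", "update"]},
    {"groups": ["*"], "resources": ["secrets"], "names": ["instrumentor-webhooks-cert"], "verbs": ["update"]},
]
# Constructed rule, not on this page: asks for a verb the Operator rows above do not hold.
HYPOTHETICAL = [{"groups": ["*"], "resources": ["pods"], "verbs": ["get", "delete"]}]

if __name__ == "__main__":
    print(uncovered(OPERATOR, INSTRUMENTOR))
    print(uncovered(OPERATOR, HYPOTHETICAL))
```

An empty result means every requested permission is already held; any tuple returned is a permission the creating identity would be refused when writing that Role.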

